NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG EVALUATION
GOVERNMENT INFORMATION SECURITY REFORM ACT
2001

Report #OIG-01-09          September 7, 2001

Frank Thomas
Inspector General

Released by:                                  Auditor in Charge:
William A. DeSarno                            Tammy F. Rapp
Assistant Inspector General for Audits        Senior IT Auditor


NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL EVALUATION
GOVERNMENT INFORMATION SECURITY REFORM ACT
2001


EXECUTIVE SUMMARY

The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:
    • Assess compliance with GISRA and agency security policies and procedures; and
    • Test the effectiveness of information security control techniques for a subset of the agency's information systems.

The Office of Management and Budget (OMB) has requested IGs to submit the results of their independent evaluation by responding specifically to questions 2 through 13 of OMB Memorandum M-01-24. The following presents our evaluation of the National Credit Union Administration's (NCUA) compliance with GISRA.

The NCUA Office of Inspector General (OIG) has determined that NCUA is not yet in compliance with GISRA. The following represents the agency's status toward compliance with key GISRA provisions as of August 2001:

   • NCUA needs to develop an agency-wide security program. NCUA developed a draft security policy that will be incorporated in the security program. However, this policy has not been approved by the agency head or disseminated to personnel with key responsibilities.
   • NCUA needs to perform formal risk assessments.
   • NCUA program managers need to perform periodic management testing of controls and perform their annual program review as required by GISRA.
   • For the reporting cycle, NCUA has provided some security training to personnel with significant security responsibilities, and security awareness training is provided to all employees on a 3-year cycle coinciding with equipment replacement. New examiners are provided with basic computer training, which includes security awareness. Contractors and new non-examiner personnel are not provided any security awareness training.
   • NCUA needs to formalize an incident response program.
   • NCUA's Office of the Chief Information Officer (OCIO) needs to perform the annual security program review required by GISRA.
   • NCUA has not yet determined the resources required to implement the security program and incorporated this program in the budget and strategic planning process.

Although we concluded that the agency is not in compliance with GISRA, we have not opined on actual security measures in place at the agency. According to the Chief Information Officer (CIO), NCUA has taken several steps to provide a secure environment, and as a result NCUA has not become aware of any significant security breaches. Some examples of proactive security practices include: matching risk to security controls; building controls into applications during development; and moving forward with new technologies that have increased security.

The NCUA OIG, with assistance from independent public accounting firms, performed two audits during the reporting cycle that tested the effectiveness of information security and internal controls:

   • On March 15, 2001, the OIG issued a report on our review of SAP Security & Control. SAP is used by NCUA primarily to perform online payment and accounting of agency financial transactions. The purpose of our review was to assess controls in the following areas: SAP Security; Data Integrity; Information Technology (IT) Infrastructure; and Business Processes. Our review included inquiry of personnel, observation of operations, and performance of tests within SAP. Our review identified several internal control weaknesses in the SAP security configuration. The most significant findings were related to segregation of duties and inappropriate user access privileges. NCUA's consolidated response to the 42 recommendations was positive, and NCUA stated all of the recommendations were either implemented or agreed to.

   • On March 31, 2001, the OIG issued the Financial Statement Audit Report for the year ended December 31, 2000. The purpose of this audit was to express an opinion on whether the financial statements were fairly presented. In addition, the contractor reviewed the internal control structure and evaluated compliance with laws and regulations as part of the audit. The independent public accounting firm expressed unqualified opinions, stating that the financial statements were presented fairly. Although the independent public accounting firm did not find any matters considered to be material weaknesses in their review of the internal control structures pertinent to financial reporting, they made six recommendations relating to weaknesses identified in the area of information security. NCUA agreed to implement all of the recommendations.


OBJECTIVES, SCOPE, AND METHODOLOGY

OBJECTIVES:

The objectives of our review were to:

    • Assess compliance with GISRA and agency security policies and procedures;
    • Provide a synopsis of recent audits where tests of information security control techniques were performed for a subset of the agency's information systems; and
    • Provide OMB with the results of our independent evaluation and specific evaluation of questions 2 through 13 of M-01-24.

SCOPE AND METHODOLOGY:

We reviewed the provisions of GISRA and associated OMB guidance. Our review procedures included inquiry of personnel with responsibilities associated with GISRA and some document review. We also reviewed the CIO's draft response to OMB Memorandum M-01-24, dated August 31, 2001.

Our review focused on the agency's overall security framework, and we did not conclude on actual security measures in place.

This review was conducted at NCUA's Central Office in Alexandria, Virginia, during August 2001 and covered the period from January 2001 through August 2001.


OMB QUESTIONS 2 - 13

In specific response to OMB's Memorandum M-01-24, the OIG's evaluation of questions 2 through 13 is presented below:

2. Identify the total number of programs included in the program reviews or independent evaluations.

   NCUA has not identified programs for this purpose. However, NCUA identified seven mission critical systems. The agency should consider including other critical systems that are maintained by other agencies, such as the agency's personnel processing system, payroll system, time and attendance system, disbursement system, etc. In addition, the agency needs to ensure that all critical systems have a program manager assigned with responsibility for each system.

   The agency did not perform any program reviews during this reporting cycle. The OIG performed two independent evaluations that included information security and internal controls during this reporting period: the SAP Security Review and the 2000 Financial Statement Audits. Both independent evaluations included NCUA's core financial system, which is one of the agency's mission critical systems.

3. Describe the methodology used in the program reviews and the methodology used in the independent evaluations.

       a. SAP Security Review
          The overall objective of the SAP Security Review was to ensure that the existing control environment and security infrastructure of the SAP system was adequate. The review included assessment of controls in the areas of SAP security, data integrity, information technology infrastructure, and business processes surrounding the SAP modules. Review procedures included inquiry of personnel, observation of operations, and performance of tests within SAP.

       b. 2000 Financial Statement Audits
          The purpose of the financial statement audits was to express an opinion on whether the financial statements were fairly presented. In addition, the internal control structure and compliance with laws and regulations were evaluated. The audit procedures included inquiry of personnel, review of policies and procedures, observation of operations, and limited testing of information technology controls.

4. Report any material weakness in policies, procedures, or practices as identified and required to be reported under existing law.

   Although no material weaknesses were reported under existing law, our review of the financial system revealed many significant security weaknesses. According to agency officials, these weaknesses have been addressed. As a result of this evaluation, we observed material weaknesses and made several recommendations regarding the agency's overall information security framework. The OIG plans to perform a follow-up review of all security related recommendations during the next reporting cycle.

5. Describe the specific measures of performance used by the agency to ensure that agency program officials have: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques. Include information on the actual performance for each of the four categories.

       a. Although the annual appraisal process is a tool used by the Office of the Executive Director (OED) to ensure managers fulfill their responsibilities, there were no specific measures of performance to ensure that agency program officials have performed the following:
              • Assessed the risk to operations and assets under their control;
              • Determined the level of security appropriate to protect such operations and assets;
              • Maintained an up-to-date security plan for each system supporting the operations and assets under their control; and
              • Periodically tested and evaluated security controls and techniques.

       b. NCUA program officials:
              • Have not performed any formal risk assessments for operations and assets under their control;
              • Although it appears that program officials participate in determining some level of security and controls over their respective operations, this process is informal and undocumented. The OIG was unable to determine if their determination of controls was based on an evaluation of the risks to information systems and data and the costs of implementing specific controls;
              • Have not developed a security plan for each system supporting the operations and assets under their control; and
              • Have not periodically tested and evaluated security controls and techniques for systems under their control.

6. Describe the specific measures of performance used by the agency to ensure that the agency CIO: 1) adequately maintains an agency-wide security program; 2) ensures the effective implementation of the program and evaluates the performance of major agency components; and 3) ensures the training of agency employees with significant security responsibilities. Include information on the actual performance for each of the three categories.

       a. Although the annual appraisal process is a tool used by OED to ensure managers fulfill their responsibilities, there were no specific measures of performance to ensure that the agency CIO:
              • Adequately maintains an agency-wide security program;
              • Ensures the effective implementation of the program and evaluates the performance of major agency components; and
              • Ensures the training of agency employees with significant security responsibilities.

       b. The CIO:
              • Recently assigned the role of senior information security official to a senior information technology specialist as part of his ancillary responsibilities;
              • Has not developed an agency-wide security program or ensured the effective implementation of the program and evaluated the performance of major agency components;
              • Has ensured the training of agency employees with significant security responsibilities.

7. Describe how the agency ensures that employees are sufficiently trained in their security responsibilities. Identify the total number of agency employees and briefly describe what types of security training were available during the reporting period, the number of agency employees that received each type of training, and the total costs of providing such training.

   NCUA provided security training to all employees in conjunction with its notebook computer replacement in Spring 2000. New examiners are provided with basic security training when they are provided with their equipment. However, new non-examiner employees and contractors with access to NCUA's information technology resources do not receive any security training. NCUA should consider providing periodic security awareness updates to all employees and contractors.

8. Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities. Include a description of procedures for external reporting to law enforcement authorities and to the General Services Administration's Fed CIRC. Include information on the actual performance and the number of incidents reported.

   NCUA does not have documented procedures for reporting security incidents and sharing information regarding common vulnerabilities. NCUA's security incident process is informal and undocumented.

9. Describe how the agency integrates security into its capital planning and investment control process. Were security requirements and costs reported on every FY02 capital asset plan (as well as exhibit 53) submitted by the agency to OMB? If no, why not?

   Although NCUA is not required to complete a capital asset plan with its budget submission to OMB, NCUA intends to incorporate security with its strategic plan and enterprise architecture. NCUA has not taken any steps to ensure that plans to fund and manage security are built into life-cycle budgets for information systems.

10. Describe the specific methodology used by the agency to identify, prioritize, and protect critical assets within its enterprise architecture, including links with key external systems. Describe how the methodology has been implemented.

   NCUA plans to complete its enterprise architecture by June 30, 2002.

11. Describe the measures of performance used by the head of the agency to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system. Include information on the actual performance.

       a. Specific measures of performance have not been identified to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system.

       b. NCUA informally incorporated information security throughout the life cycle of each agency system.

12. Describe how the agency has integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., physical and operational).

   NCUA intends to integrate all of its security responsibilities when it develops the agency-wide information technology security program.

13. Describe the specific methods (e.g., audits or inspections) used by the agency to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy.

       a. NCUA utilizes agency employees to informally monitor contractors that supplement NCUA's information technology staff.

       b. NCUA has not performed any steps to ensure that services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy.


RECOMMENDATIONS

In order to comply with GISRA:

   1. The Executive Director should develop specific performance measures to ensure that a successful security program is developed, maintained, and implemented throughout the agency.

   2. The Executive Director should develop specific performance measures to ensure that senior program managers have:
         a. Assessed the risk to operations and assets under their control;
         b. Determined the level of security appropriate to protect such operations and assets;
         c. Maintained an up-to-date security plan for each system supporting the operations and assets under their control; and
         d. Periodically tested and evaluated security controls and techniques.

   3. The Executive Director should develop specific performance measures to ensure that the CIO:
         a. Adequately maintains an agency-wide security program;
         b. Ensures the effective implementation of the program and evaluates the performance of major agency components; and
         c. Ensures the training of agency employees with significant security responsibilities.

   4. The Executive Director should ensure that the agency has trained all personnel sufficiently to assist the agency in complying with the requirements of GISRA and related agency security policies and procedures.

   5. The Executive Director should develop specific performance measures to ensure that the CIO and senior program managers:
         a. Annually evaluate the effectiveness of the agency information security program, including testing control techniques, and implement appropriate remedial actions based on the evaluation; and
         b. Report the results of such tests and evaluations and progress made on remedial actions.

   6. The Executive Director should evaluate the resources required to implement the security program and consider such resources in the annual budgeting and strategic planning process.

   7. The Executive Director should ensure that security is incorporated with its strategic plan and enterprise architecture.

   8. The CIO should develop and maintain an agency-wide security program that integrates all of NCUA's security responsibilities and includes the following elements:
         a. Periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems and data;
         b. Policies and procedures that are based on risk assessments and that cost-effectively reduce information security risks to an acceptable level;
         c. Periodic security awareness training to inform and remind all employees, contractors, and other users of agency systems of their information security risks and respective security responsibilities;
         d. Periodic management testing and evaluation of the effectiveness of information security policies and procedures;
         e. A process for ensuring remedial action to address any significant deficiencies; and
         f. Procedures for detecting, reporting, and responding to security incidents.

   9. The CIO should ensure that the agency effectively implements and maintains information security policies, procedures, and control techniques.

   10. The CIO should propose through the agency budget process that the senior information security official is given adequate resources to perform security related responsibilities.

   11. The CIO should perform an annual evaluation of the agency-wide security program.

   12. The CIO should develop specific methods to ensure the adequate security of contractor provided services.

   13. Senior program managers should assess the information security risks associated with the operations and assets for programs and systems over which they have control. These risk assessments should be documented and periodically reevaluated.

   14. Senior program managers should determine the levels of information security appropriate to protect operations and assets under their control. These control assessments should be documented and periodically reevaluated.

   15. Senior program managers should periodically test and evaluate information security controls and techniques, as well as perform an annual program review in consultation with the CIO.

   16. Senior program managers should develop a security plan for each system supporting the operations and assets under their control.

   17. Senior program managers should develop specific methods to ensure that information technology services provided by other agencies are adequately secure.

   18. The CIO should assist the senior program managers with their responsibilities outlined above.

The initial response we received from the Office of the Executive Director indicated they generally agreed with all of the above recommendations.


ATTACHMENTS

Exhibit 1: SAP Security Audit
               (Executive Summary)
Exhibit 2: Financial Statement Audit 2000
               (Executive Summary and Observations and Recommendations)

(Attachments transmitted separately.)